Neil Aggarwal
2008-Nov-06 14:33 UTC
[CentOS] iptables starts blocking outbound http traffic
Hello:

I have a machine running CentOS 5 x86_64. It is running apache httpd and tomcat.

For some reason, after running for a few days, web requests stop responding. It happened again this morning.

I check the syslog and see a HUGE number of logs like this:

OUTPUT IN= OUT=eth0 SRC=[MyIP] DST=[OutsideIP] LEN=532 TOS=0x00 PREC=0x00 TTL=64 ID=52669 DF PROTO=TCP SPT=80 DPT=54697 WINDOW=61 RES=0x00 ACK PSH FIN URGP=0

Here are my iptables commands for http connections (I have the default policy set to drop):

# Allow http connections from the outside world
/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT

Here are some strange things:

1. I have the exact same rules running on two other servers which do not give me any trouble.
2. If I stop and restart httpd and tomcat, the problem goes away. This suggests the firewall is not a problem.

Any ideas what is going on?

Thanks,
Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox. Visit http://www.spammilter.com for details.
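As an added example (not part of the thread), the shell function below summarizes kernel LOG lines in the format quoted above, so that the person reading the syslog can see at a glance whether the dropped packets are mid-connection traffic from the server's own port (ACK set, no bare SYN), which is exactly what an ESTABLISHED rule should have accepted, or new connection attempts. The sample lines, hostnames and addresses are constructed for the example; the OUTPUT prefix and field names follow the line Neil posted.

```sh
#!/bin/sh
# Added example, not code from the thread. Summarizes iptables LOG lines
# by chain, protocol, local service port and whether the packet was a new
# connection attempt (SYN without ACK) or part of an existing flow.

# Constructed sample lines in the same format as the syslog excerpt above.
SAMPLE_LOG='Nov  6 08:10:01 web kernel: OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=532 TOS=0x00 PREC=0x00 TTL=64 ID=52669 DF PROTO=TCP SPT=80 DPT=54697 WINDOW=61 RES=0x00 ACK PSH FIN URGP=0
Nov  6 08:10:01 web kernel: OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=52670 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=61 RES=0x00 ACK URGP=0
Nov  6 08:10:02 web kernel: INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarize_drops: reads LOG lines on stdin, prints one line per
# "CHAIN PROTO PORT STATE COUNT" group, sorted.
summarize_drops() {
    awk '
    {
        chain = ""; proto = "?"; spt = "?"; dpt = "?"; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "INPUT" || $i == "OUTPUT" || $i == "FORWARD") chain = $i
            else if (index($i, "PROTO=") == 1) proto = substr($i, 7)
            else if (index($i, "SPT=") == 1)   spt = substr($i, 5)
            else if (index($i, "DPT=") == 1)   dpt = substr($i, 5)
            else if ($i == "SYN")              syn = 1
            else if ($i == "ACK")              ack = 1
        }
        if (chain == "") next
        # Server-side view: for OUTPUT the local service is the source port,
        # for INPUT it is the destination port.
        port = (chain == "OUTPUT") ? ("sport=" spt) : ("dport=" dpt)
        # A bare SYN is a new connection; anything else belongs to a flow
        # that conntrack should already know about.
        state = (syn && !ack) ? "new" : "established"
        count[chain " " proto " " port " " state]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# count_established_drops: total number of dropped packets that belonged
# to existing flows. A large number here with an ESTABLISHED accept rule
# in place points at connection tracking, not at the rules themselves.
count_established_drops() {
    summarize_drops | awk '$4 == "established" { n += $5 } END { print n + 0 }'
}

# Usage on a real host: grep 'OUTPUT IN=' /var/log/messages | summarize_drops
```

Run against the constructed sample it reports two dropped established packets from sport=80 in OUTPUT and one new SYN to dport=22 in INPUT; on the real syslog, the first category growing over days while the second stays flat is the signature of the problem described in this thread.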
Filipe Brandenburger
2008-Nov-06 15:07 UTC
[CentOS] iptables starts blocking outbound http traffic
Hi,

On Thu, Nov 6, 2008 at 09:33, Neil Aggarwal <neil at jammconsulting.com> wrote:
> # Allow http connections from the outside world
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>
> Any ideas what is going on?

If you're using ESTABLISHED, it depends on ip_conntrack being able to track the connections. ip_conntrack keeps a table of all connections, but this table is limited in size, so it may be overflowing.

You can see how many entries you have in that table at any moment with this command:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

And you can see what the maximum is set to with this command:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

The default in CentOS 5 is 16k connections. IIRC, you can increase that dynamically with echo ... >/proc/sys/... or with sysctl. Also, I believe you can set the default after a reboot in /etc/sysctl.conf. I think it's also possible to do that in /etc/modprobe.conf, but I'm not sure what the syntax is anymore, and modinfo ip_conntrack didn't give me any clues. Google should help with that.

HTH,
Filipe
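As an added example (not from the thread), the following shell script turns the two checks in the reply above into a threshold test that can run from cron and warn before the table fills. The ip_conntrack_* paths are the CentOS 5 ones quoted in the reply; the nf_conntrack_* fallback paths are the names used by later kernels. The PREFIX argument is an assumption added so the check can be pointed at a test directory instead of the live /proc.

```sh
#!/bin/sh
# Added example, not code from the thread: warn before the netfilter
# connection tracking table fills up. Once it is full, new flows are not
# tracked, "-m state --state ESTABLISHED" stops matching their packets,
# and a DROP policy starts discarding legitimate replies.

# conntrack_usage_percent COUNT MAX -> prints integer percent used;
# returns 2 if MAX is not a positive integer.
conntrack_usage_percent() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( count * 100 / max ))
}

# check_conntrack [PREFIX] [THRESHOLD_PERCENT]
# PREFIX (assumed, default empty) is prepended to the /proc paths so the
# function can be tested against a fake tree. Default threshold is 80%.
# Exit status: 0 = below threshold, 1 = at/above threshold, 2 = unreadable.
check_conntrack() {
    prefix=${1:-}
    threshold=${2:-80}
    # CentOS 5 name first, then the newer nf_conntrack name.
    for base in /proc/sys/net/ipv4/netfilter/ip_conntrack \
                /proc/sys/net/netfilter/nf_conntrack; do
        if [ -r "$prefix${base}_count" ] && [ -r "$prefix${base}_max" ]; then
            count=$(cat "$prefix${base}_count")
            max=$(cat "$prefix${base}_max")
            pct=$(conntrack_usage_percent "$count" "$max") || return 2
            if [ "$pct" -ge "$threshold" ]; then
                echo "WARN: conntrack table ${pct}% full ($count of $max entries)"
                return 1
            fi
            echo "OK: conntrack table ${pct}% full ($count of $max entries)"
            return 0
        fi
    done
    echo "conntrack sysctls not readable; is the ip_conntrack/nf_conntrack module loaded?" >&2
    return 2
}

# Usage on a real host (no arguments reads the live /proc):
#   check_conntrack || logger -t conntrack-check "table near capacity"
```

With the reply's default of 16k entries, 15900 tracked connections is 97% and trips the warning; the cure is still the one the reply names, raising ip_conntrack_max with sysctl and persisting it in /etc/sysctl.conf.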
Kai Schaetzl
2008-Nov-06 17:31 UTC
[CentOS] iptables starts blocking outbound http traffic
Neil Aggarwal wrote on Thu, 6 Nov 2008 08:33:59 -0600:
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT

Why do you try to filter outbound connections at all? If "something" makes it on your machine the first thing they will do is drop your rules.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com